Unauthenticated Remote Code Execution in GitLab is exploited in the wild
Summary
CVE-2021-22205 is a critical remote code execution vulnerability in GitLab’s web interface. GitLab first addressed it in April in a published Critical Security Release: “An issue has been discovered in GitLab CE/EE affecting all versions starting from 11.9. GitLab was not properly validating image files that are passed to a file parser, which resulted in a remote command execution. This is a critical severity issue. It is now mitigated in the latest release and is assigned CVE-2021-22205,” Dominic Couture from GitLab stated in the security release.
The initially assigned CVSSv3 score was 9.9, but in September GitLab revised it to 10.0 because the issue was reclassified from authenticated to unauthenticated. The first exploitation was observed in June 2021, when attackers compromised GitLab servers to create new users and grant them admin rights. To exploit this vulnerability, threat actors do not have to authenticate, use a valid HTTP endpoint, or supply a CSRF token.
Rapid7 published a report analyzing the situation, as a large number of systems remain unpatched.
“We can see just short of 60,000 internet-facing GitLab installations. Of the 60,000 this is what we found:
- 21% of installs are fully patched against this issue.
- 50% of installs are not patched against this issue.
- 29% of installs may or may not be vulnerable.”
The following versions are patched, and admins are advised to update as soon as possible. Any earlier version is exploitable, whether GitLab Enterprise Edition (EE) or GitLab Community Edition (CE).
- 13.10.3
- 13.9.6
- 13.8.8
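As an added example (not from the advisory or from GitLab), the following triage script maps GitLab version strings to the fixed releases listed above so an inventory can be sorted into patched and vulnerable hosts. The hostnames and versions are constructed, and the script assumes that release branches newer than 13.10 shipped with the fix.

```python
"""Triage helper for CVE-2021-22205 (added example, not GitLab code).
Fixed releases per the advisory: 13.10.3, 13.9.6, 13.8.8; the issue affects
all versions from 11.9 onward. Anything below the fixed release on its
branch, and any affected branch without a fixed release, is vulnerable."""
from __future__ import annotations

# Fixed releases from the advisory, keyed by (major, minor) branch.
FIXED = {(13, 10): (13, 10, 3), (13, 9): (13, 9, 6), (13, 8): (13, 8, 8)}
FIRST_AFFECTED = (11, 9, 0)
NEWEST_FIXED_BRANCH = max(FIXED)  # (13, 10)


def parse_version(text: str) -> tuple[int, int, int]:
    """Parse '13.9.5', '13.9.5-ee' or '13.10' into a (major, minor, patch) tuple."""
    core = text.strip().split("-")[0]  # drop '-ee' / '-ce' edition suffixes
    parts = core.split(".")
    if not 2 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised GitLab version: {text!r}")
    nums = [int(p) for p in parts] + [0] * (3 - len(parts))
    return nums[0], nums[1], nums[2]


def assess(version: str) -> str:
    """Return 'not_affected', 'patched' or 'vulnerable' for one version string."""
    v = parse_version(version)
    if v < FIRST_AFFECTED:
        return "not_affected"  # older than 11.9: issue not present
    branch = v[:2]
    if branch in FIXED:
        return "patched" if v >= FIXED[branch] else "vulnerable"
    if branch > NEWEST_FIXED_BRANCH:
        return "patched"  # assumption: 13.11+ released after the fix
    return "vulnerable"  # 11.9 .. 13.7: no fixed release on these branches


def triage(inventory: dict[str, str]) -> dict[str, list[str]]:
    """Group hosts by assessment result; input is a constructed sample."""
    groups: dict[str, list[str]] = {"vulnerable": [], "patched": [], "not_affected": []}
    for host, ver in inventory.items():
        groups[assess(ver)].append(host)
    return groups


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    sample = {"git-a.example": "13.9.5-ee", "git-b.example": "13.10.3",
              "git-c.example": "13.7.9", "git-d.example": "11.8.1",
              "git-e.example": "13.12.0-ce"}
    for status, hosts in triage(sample).items():
        print(f"{status:13s} {', '.join(hosts) or '-'}")
```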
Impact
GitLab was not properly validating image files that were passed to a file parser, which resulted in remote command execution.
Remediation
Users are advised to upgrade to the patched versions of GitLab (13.10.3, 13.9.6, 13.8.8) as soon as possible. If GitLab must be reachable from the internet, it is recommended to place it behind a VPN.
Reference